DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
Sigma rule (View on GitHub)
1title: DllUnregisterServer Function Call Via Msiexec.EXE
2id: 84f52741-8834-4a8c-a413-2eb2269aa6c8
3status: test
4description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
7 - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
8 - https://twitter.com/_st0pp3r_/status/1583914515996897281
9author: frack113
10date: 2022-04-24
11modified: 2024-03-13
12tags:
13 - attack.defense-evasion
14 - attack.t1218.007
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection_img:
20 - Image|endswith: '\msiexec.exe'
21 - OriginalFileName: '\msiexec.exe'
22 selection_flag:
23 CommandLine|contains|windash: ' -z '
24 selection_dll:
25 CommandLine|contains: '.dll'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Msiexec.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- MSI Installation From Web
- MsiExec Web Install
- Msiexec Quiet Installation
- PowerShell WMI Win32_Product Install MSI
- Suspicious MsiExec Embedding Parent